Malware World 2010: Beware the Predators
Toralv Dirro, McAfee Labs EMEA Security Strategist
Confidential McAfee Internal Use Only
$70 Million International Cybercrime Ring Busted
• October 1st 2010: Operation Trident Breach
– Investigations began in May 2009
– 60 criminals charged, 10 arrested
– International partnership with the SBU and other authorities
• The Federal Bureau of Investigation, including the New York Money Mule Working Group, the Newark Cyber Crime Task Force, the Omaha Cyber Crime Task Force, the Netherlands Police Agency, the Security Service of Ukraine (the SBU), and the United Kingdom's Metropolitan Police Service participated in the operation.
– The cyber thieves targeted small- to medium-sized companies, municipalities, churches, and individuals, infecting their computers using a version of the Zeus botnet. The malware captured passwords, account numbers, and other data used to log into online banking accounts. This scheme resulted in the attempted theft of $220 million, with actual losses of $70 million from victims' bank accounts.
FOCUS 09: Anatomy of a Scareware Company
http://www.internetnews.com/security/article.php/3842936/McAfee+FOCUS+09+Anatomy+of+a+Scareware+Scam.htm
Using more than 63 gigabytes of information culled from querying the company's own portal servers and other publicly available data, Dirk Kollberg, from McAfee Labs, unearthed some astonishing operational details including the following:
• Innovative Marketing used more than 34 different production servers in less than six months and used as many as six different servers at a time to infect, advertise and sell their illicit wares.
• In one 10-day stretch, the company received more than 4 million download requests, meaning that at least 4 million people tried to buy the worthless applications.
• Internal documents report that the URLs used to hawk the scareware are only valid for 15 minutes, making it all but impossible for federal, state or international law enforcement agencies to yank the offending URLs before they've moved on to new addresses.
• It used multiple customer call centers, including at least one in Poland and one in India, to service unsuspecting customers calling via VoIP connections to buy, remove or question the need for the unnecessary scareware. And, believe it or not, they recorded and saved these bogus customer service calls. More incredibly, 95 percent of callers were "happy" when the call concluded.
• Because they needed an extensive network of ISPs to pull off the scam, Innovative Marketing kept detailed spreadsheets with all the ISPs' pertinent data including price, location and, most telling, a column that rates the ISPs' "abuseability"—essentially an assessment of which ISPs would play ball and not ask questions as they went about their business.
• The company added a whopping 4.5 million order IDs, essentially new purchases, in 11 months last year. With most of the phony applications selling for $39.95, that's more than $180 million in less than a year.
FTC vs. Innovative Marketing
"The FTC succeeded in persuading a U.S. federal judge to order Innovative Marketing and two individuals associated with it to pay $163 million it had scammed from Americans. Neither individual has surfaced since the government filed its original suit more than a year ago. But Ethan Arenson, the FTC attorney who handled the case, warned: 'Collection efforts are just getting underway.'"
(Source: Reuters)
Price Estimates for Credit and Debit Card Dumps
Dumps are information electronically copied from the magnetic stripe on the back of credit and debit cards. Prices for these data vary, depending on the inclusion of the card’s PIN.
The Malware Market: Trojan and Exploit Kits Easily Available
Zeus: Development of a Trojan Kit
Mergers and Acquisitions: SpyEye & Zeus
November 25, 2010
Cyber Crime Altering Threat Landscape
[Chart: Malware Growth (Main Variations), 2000 to 2007, y-axis 0 to 500,000; series: Virus and Bots, PUP, Trojan. Source: McAfee Labs]
[Chart: Malware Growth (Main Variations), 2000 to 2008, y-axis 0 to 2,200,000; series: Virus and Bots, PUP, Trojan. Source: McAfee Labs]
[Chart: Malware Growth (Main Variations), 2000 to 2009, y-axis 0 to 3,200,000; series: Virus and Bots, PUP, Trojan. Source: McAfee Labs]
Malware Still Growing Strong
New pieces of malware per day:
• 2007: 16,000
• 2008: 29,000
• 2009: 46,000
• Q1/2010: 40,000
• Q2/2010: 55,000
• Q3/2010: 60,000
[Chart: Number of malware samples in our database, Q1/2008 to Q3/2010, y-axis 0 to 50,000,000]
Top 10 Malware Globally
1) Generic!Atr: Generic removable-device malware
2) Generic.dx: Generic downloaders and Trojans
3) W32/Conficker.worm!inf: Removable-device Conficker worm
4) FakeAlert-FakeSpy!env.a: Legitimate-looking fake anti-virus scam
5) Exploit-CVE2008-5353: A JRE exploit that downloads a Trojan
6) GameVance: Online gaming software that collects stats anonymously
7) Generic PUP.x: General-purpose potentially unwanted programs
8) Adware-Hotbar.b: Adware program
9) Exploit-ByteVerify: Java applet Trojan
10) Adware-URL.gen: Adware program
Two notable adware programs have joined the top ten list, both spread via malicious websites.
Botnet Infections Held Steady
We have seen new botnet infections hold steady at around six million per month.
[Chart: Overall Botnet Infections Per Day, Sep-09 to Sep-10, y-axis 0 to 3,000,000]
[Chart: Overall Botnet Infections Per Month, Sep-09 to Sep-10, y-axis 0 to 12,000,000]
AutoRun and Koobface Level Off
[Chart: Unique AutoRun Samples Discovered, Sep-08 to Sep-10, y-axis 0 to 700,000]
[Chart: Unique Koobface Samples Discovered, Jan-09 to Sep-10, y-axis 0 to 30,000]
Fake Security Software Peaked in '09 But Remains High for This Lucrative Form of Cybercrime
[Charts: Unique Password Stealer Samples Discovered and Unique FakeAlert Samples Discovered, Sep-08 to Sep-10, y-axes 0 to 400,000 and 0 to 450,000]
Zeus Is In a Class All By Itself
Zeus (Zbot or PWS-Zbot) is spread via download or phishing sites. Some Zeus campaigns switched from text to graphics in emails to avoid anti-spam technologies.
Websites Hosting Zeus
McAfee Labs is finding URLs dedicated to hosting Zeus.
[Chart: URLs hosting Zeus, Sep-09 to Sep-10, y-axis 0 to 2,500]
Zeus Goes Mobile
1) User logs onto online banking website
2) Tries to make a money transfer
3) Bank asks for an additional code
4) Code sent to user's phone via SMS
5) User enters code to validate the transaction
• Zeus intercepts the code so it can validate its own transactions
• Then Zeus can send a message to the user's phone directing them to a malicious website
Cybercriminals Are Optimizing Their Threats for Search Engines
This quarter’s most poisoned search topics:
• Haiti earthquake
• Chile earthquake/Hawaii tsunami warning
• Toyota recall
• Apple iPad
• 2010 NCAA bracket/March Madness
• Tiger Woods apology
• Shamu attack/Florida shark attack
• Olympic luge tragedy
• Groundhog Day
• U.S. Health Care Reform Bill
And They Go Where We Go!
60% of Top Google Search Terms Returned Malicious Sites in the First 100 Results
Web/Domain Reputation
Number of sites categorized in our Web- and Domain Reputation Services.
Top 15 Website Categories (Number of Sites)
Malicious Sites 14,475,580
Residential IP Addresses 6,040,787
Spam URLs 4,085,439
Pornography 2,815,319
Content Servers 2,511,339
Business 2,510,899
Phishing 1,474,321
Parked Domains 1,215,048
Travel 1,140,018
Anonymizers 997,863
Online Shopping 979,092
Real Estate 873,159
Instant Messaging 842,263
Government/Military 829,381
Marketing/Merchandising 826,286
Targeted Attacks
• A senior Pentagon official reveals details of a previously classified malware attack he considers "the most significant breach of U.S. military computers ever."
• Deputy Defense Secretary William J. Lynn III explains that in 2008, a flash drive believed to have been infected by a foreign intelligence agency uploaded malicious code onto a network run by the military's Central Command.
Source: http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain
• "It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary."
• The incident led to a massive Pentagon response operation called "Operation Buckshot Yankee" aimed at purging infected systems of the malware and preventing something similar from happening again.
Targeted Attacks
• Targeted Attacks and Advanced Persistent Threats (APT)
• Attackers have lots of resources
– 0-days
– Customized malware
• But GhostNet used off-the-shelf malware
• High social engineering factor
– Attachments with supposedly relevant information for the recipient
– Links to supposedly relevant information
– Email, social network messages, IM
• Low distribution to stay under the radar
Stuxnet: Under the Hood
• Discovered in July 2010 by the company VirusBlokAda in Minsk, Belarus
• First seen in Iran, Indonesia, India; now spread worldwide
• Targets Siemens WinCC and SIMATIC Process Control System (PCS7)
• Uses four 0-day vulnerabilities plus the MS08-067 vulnerability (used by Conficker)
– Shortcut icon vulnerability (CVE-2010-2568/MS10-046), affecting every version of Windows since Windows 2000 (even Win95)
– Design flaw in Print Spooler (MS10-061/CVE-2010-2729)
– Two privilege escalation exploits [win32k.sys]
• A user opens a folder that contains the .lnk template files (.pif files also vulnerable)
• Rootkit drivers signed with valid certificates (Realtek and JMicron)
• UPX packed, XOR encoded everywhere
• Once loaded, queries the Siemens database with a known default password
• Connects to C&C servers, sending sensitive data
• Manipulates the database to control the HMI output and manipulates the PLCs
Stuxnet: a Targeted Attack Runs Rampant
Stuxnet, the first malware targeting industrial control systems, threatens critical infrastructure.
Protection Catching Up: "Cloud Security"
About that In-The-Cloud Security Thingie...
• "Invented" 3 years ago
• Implemented one way or the other by most major AV vendors
– And no one really documents what exactly they are doing
So this is how it works
1) User receives new file via email/web/network/USB
2) No detection with existing DATs, but the file is "suspicious"
3) Fingerprint of file is created and sent using Artemis
4) Artemis reviews this fingerprint and other inputs statistically across the threat landscape
5) Artemis identifies the threat and notifies the client
6) VirusScan processes the information and removes the threat
(Artemis: Collective Threat Intelligence)
About that In-The-Cloud Security Thingie...
• So it's basically a file reputation service
– Comparable to what has been done in other areas long ago
• AntiSpam
• Domain Reputation
• Major benefit: detection speed (near real-time)
– And it makes products look great in any test against collections (>99.9%)
Problems of that Cloud Security Thingie...
• True server-side polymorphism
– Needs more metadata than just a fingerprint
• Detection only available when online
– Outbreak situation, gateway down -> detection gone
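The six-step Artemis flow above and the two problems on this slide, as an added Python illustration that is not McAfee code and does not model how Artemis actually works: the sample "files", the UPX-marker heuristic, the overlay marker and the metadata key are all constructed for the example; it shows why a bare fingerprint misses a server-side polymorphic re-spin, and why detection disappears when the cloud is unreachable.

```python
import hashlib

# Constructed sample "files" (not real malware): a packed dropper, a server-side
# polymorphic re-spin of it (same code, fresh overlay bytes per download) and a
# clean file. The overlay marker is a constructed format detail, nothing more.
OVERLAY_MARK = b"\x00OVL\x00"
DROPPER_V1 = b"MZUPX0" + b"dropper-code" + OVERLAY_MARK + b"\x11" * 16
DROPPER_V2 = b"MZUPX0" + b"dropper-code" + OVERLAY_MARK + b"\x22" * 16
CLEAN_FILE = b"MZ" + b"hello world"

def fingerprint(data: bytes) -> str:
    """Step 3: the hash the client sends instead of the whole file."""
    return hashlib.sha256(data).hexdigest()

def metadata_key(data: bytes) -> str:
    """Hash of the code section only, ignoring the overlay that polymorphism
    regenerates: a constructed stand-in for 'more metadata than a fingerprint'."""
    return hashlib.sha256(data.split(OVERLAY_MARK, 1)[0]).hexdigest()

def is_suspicious(data: bytes) -> bool:
    """Step 2 heuristic (constructed): packed with UPX, no DAT match."""
    return b"UPX" in data

class ReputationService:
    """Cloud side (steps 4-5): exact hashes plus an optional metadata index."""
    def __init__(self, bad_hashes, bad_meta=()):
        self.bad_hashes, self.bad_meta = set(bad_hashes), set(bad_meta)

    def lookup(self, fp: str, meta: str) -> str:
        if fp in self.bad_hashes:
            return "malicious"
        if meta in self.bad_meta:
            return "malicious-variant"
        return "unknown"

def scan(data: bytes, local_dats: set, cloud: ReputationService, online=True) -> str:
    fp = fingerprint(data)
    if fp in local_dats:                    # steps 1-2: existing DATs catch it
        return "blocked:local-dat"
    if not is_suspicious(data):
        return "allowed:clean"
    if not online:                          # gateway down -> cloud detection gone
        return "allowed:cloud-unreachable"
    verdict = cloud.lookup(fp, metadata_key(data))     # steps 3-5
    return "allowed:unknown" if verdict == "unknown" else "blocked:cloud-" + verdict

def demo() -> dict:
    """Hash-only vs. metadata-aware lookups, online and offline."""
    hash_only = ReputationService([fingerprint(DROPPER_V1)])
    with_meta = ReputationService([fingerprint(DROPPER_V1)], [metadata_key(DROPPER_V1)])
    return {
        "v1_hash_only": scan(DROPPER_V1, set(), hash_only),
        "v2_hash_only": scan(DROPPER_V2, set(), hash_only),  # re-spin evades a bare hash
        "v2_with_meta": scan(DROPPER_V2, set(), with_meta),
        "v2_offline": scan(DROPPER_V2, set(), with_meta, online=False),
        "clean": scan(CLEAN_FILE, set(), with_meta),
    }
```

`demo()` returns the verdict for each case; the two "allowed" results for the re-spin are exactly the polymorphism and offline gaps the slide names.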
Evolution of Threat Detection
• Reactive: traditional signature-based defenses
• Real-time: behavior and cloud-based reputation technology reacting to queries
• Predictive: leveraging cloud-based reputation and multi-vector correlation to predict threats
[Chart: share of reactive, real-time and predictive detection over time, from the inception of signature-based protection through 2007, 2008, 2009 and 2010 and beyond]
Threat Intelligence Feeds: Correlation of Various Reputation Feeds
• Malware: IP addresses distributing it, URLs hosting it, mail/spam including it, botnet affiliation, IPS attacks caused
• Domain/URL: mail/spam sending activity, web access/referrer activity, malware hosting activity, hosted files, popups, affiliations, DNS hosting activity
• IP address: botnet/DDoS activity, mail/spam sending activity, web access activity, malware hosting activity, network probing activity, presence of malware, DNS hosting activity, intrusion attacks launched
• IPS attacks/vulnerabilities: IP addresses of attackers, vulnerability utilized, botnet affiliation, malware responsible
Lots of Data to Correlate
Queries:
• 2.5B Malware Reputation Queries/Month
• 20B Email Reputation Queries/Month
• 75B Web Reputation Queries/Month
• 2B IP Reputation Queries/Month
• 300M IPS Attacks/Month
• 100M Network Connection Reputation Queries/Month
• 100+ BILLION QUERIES
Nodes:
• Malware: 40M Endpoints
• Email: 30M Nodes
• Web: 45M Endpoint and Gateway Users
• Intrusions: 4M Nodes
• 100+ MILLION NODES, 120 COUNTRIES
An Example: Predictive Protection Against Widespread iFrame Injection Attack
• Domain Reputation flagged anomalous web behavior (registration, traffic) for the URL
• The iFrame injection attack ran malicious JavaScript, responsible for downloading malicious .EXEs
• Protected against this attack, even as it propagated to many thousands of websites
Timeline:
• May 7, 2010: McAfee detects anomalous web activity; predictively adjusts web reputation
• June 7, 2010: McAfee systems pick up massive iFrame injection attack; protect against attack
• June 9, 2010: The media report the iFrame injection attack on more than 100,000 websites hosted on IIS servers using ASP.NET
File Reputation
Evolution of malware detection to take into account the full file reputation spectrum: whitelist, blacklist, and reputation, with infinite space for each.
[Diagram: File Correlation across Web-hosted Files, Malware Associated with Intrusion, Files Containing Web Calls, Malware Files and Trusted Files]
You are INFECTED and know it.
You are INFECTED and don't know it... but we DO.
Adding a Third Level of Detection
[Diagram: McAfee protection layers and products: NDLP, NAC, SaaS, NIPS, NTR, NTBA, WG, FW, HIPS, EG, WEB, R&C, AM, AC, DLP]
Other Protections Available (Soon)
• Application Control / Whitelisting
– Most secure defense against malware, even targeted attacks
– Still scaling issues
• Moves from dedicated devices to servers nowadays
• Advanced Behaviour-Based Detection
– Still on the horizon, gains importance with predictive detection
– "Can you tell the difference between VNC and Netbus based on behaviour?"
• Network-Based Detection of Irregular Traffic
• Cheap Trick: Mine Your DNS Server for Treasure
Questions? More Info?
• Read the McAfee Labs Security Blog: http://www.avertlabs.com/research/blog
• Listen to the AudioParasitics Podcast: http://www.audioparasitics.com
• Read the Monthly Spam Report: http://www.mcafee.com
• Read the McAfee Quarterly Threat Report: http://www.mcafee.com
• Read the McAfee Security Journal: http://www.mcafee.com
• Watch the Stop H*Commerce Series: http://www.stophcommerce.com